The worst thing organizations can do is lock their cybersecurity efforts into a fixed stance. The digital threat landscape is constantly evolving, and an organization that settles into one viewpoint can inflate a single source of risk beyond what the evidence supports while missing other digital threats entirely.

This reflects just how much assumptions drive cybersecurity-related decisions. Forbes put it this way: “Risk assessment, budgetary needs and priorities are the outcome of hypothetical debates and are subject to internal pressures and politics. Both security professionals and business executives continuously seek solutions or methodologies that will put a $ sign next to their investment, as well as risk.”

Consequently, it’s no surprise that there are open questions about where organizations should take their security strategies over the next few years. Here’s a recap of five open questions currently shaping the cybersecurity space and how we see the industry addressing them.

1. Do Passwords Do More Harm than Good?

Technology firms like Microsoft are moving away from the password for three reasons. First, they are adopting Single Sign-On (SSO) and similar technologies that do not hamper workers’ experience and productivity the way traditional password-based authentication does. Second, passwordless authentication removes the very secret that brute-forcing, credential stuffing and other attacks that rely on weak or reused passwords need in order to work. Third, organizations are embracing multi-factor authentication (MFA) and related controls to limit what a malicious actor can do with a compromised password.

But passwordless authentication carries risks of its own. Biometric readers, the authenticators behind them and the account-recovery flows that back them up become new targets that attackers can potentially misuse to reach user data. Nor does passwordless authentication by itself exempt organizations and users from phishing, scams and identity theft: one-time codes and push approvals can still be phished, or pushed repeatedly until a tired user approves one, whereas origin-bound credentials such as FIDO2/WebAuthn passkeys resist credential phishing because the browser binds each assertion to the site that requested it.

Notwithstanding those risks, passwordless authentication is here to stay. Organizations therefore need to understand its benefits and risks so that they can best protect their users going forward.
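To make the phishing point concrete, the following is an added example and not code from the original article, from Microsoft or from any WebAuthn library. It shows the relying-party checks that make a FIDO2/WebAuthn passwordless login phishing-resistant and that a one-time code has no counterpart for. The relying party ID, origin and challenge are hypothetical, the clientDataJSON and authenticatorData blobs are constructed inline, and signature verification over them is left out.

```python
"""Relying-party checks behind phishing-resistant WebAuthn logins.

Added illustration, not code from the article or from a WebAuthn library.
Assumptions (hypothetical values): the relying party serves
https://login.example.com with RP ID "example.com", and the server stored a
random challenge against the session before the login ceremony started.
"""
import base64
import hashlib
import json
import os

RP_ID = "example.com"                      # hypothetical relying party ID
EXPECTED_ORIGIN = "https://login.example.com"  # hypothetical origin

# Bit positions in the authenticatorData flags byte (WebAuthn Level 2, 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified


def b64url_decode(s: str) -> bytes:
    s += "=" * (-len(s) % 4)
    return base64.urlsafe_b64decode(s)


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def verify_assertion(client_data_b64: str, auth_data: bytes,
                     expected_challenge: bytes, require_uv: bool = True) -> tuple[bool, str]:
    """Check the origin-, challenge- and RP-binding fields of an assertion.

    Returns (ok, reason). The browser writes clientDataJSON itself, so a page
    on another origin cannot claim ours, and a credential scoped to another
    RP ID yields a different rpIdHash. Both are rejected before any
    signature is examined; an OTP has no equivalent binding to check.
    """
    try:
        client_data = json.loads(b64url_decode(client_data_b64))
    except ValueError:  # bad base64url, bad UTF-8 or bad JSON
        return False, "clientDataJSON is not valid base64url JSON"

    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # The challenge is carried as base64url text; compare the decoded bytes.
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or stale session)"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin {client_data.get('origin')!r} is not {EXPECTED_ORIGIN!r}"

    if len(auth_data) < 37:  # rpIdHash(32) + flags(1) + signCount(4)
        return False, "authenticatorData too short"
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match our RP ID"
    if not flags & FLAG_UP:
        return False, "user presence not asserted"
    if require_uv and not flags & FLAG_UV:
        return False, "user verification required but not performed"
    return True, "origin, challenge, RP ID and flags verified"


def make_auth_data(rp_id: str, flags: int, sign_count: int = 1) -> bytes:
    """Build a minimal constructed authenticatorData: rpIdHash || flags || signCount."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + sign_count.to_bytes(4, "big"))


def make_client_data(origin: str, challenge: bytes, typ: str = "webauthn.get") -> str:
    """Build a constructed clientDataJSON as the browser would, base64url-encoded."""
    return b64url_encode(json.dumps({
        "type": typ, "challenge": b64url_encode(challenge), "origin": origin,
    }).encode())


def demo() -> dict:
    """Constructed sample: a genuine login, the same challenge relayed through a
    look-alike phishing origin, and an old assertion replayed against a new challenge."""
    challenge = os.urandom(32)
    good_auth = make_auth_data(RP_ID, FLAG_UP | FLAG_UV)
    return {
        "genuine": verify_assertion(make_client_data(EXPECTED_ORIGIN, challenge), good_auth, challenge),
        "phished": verify_assertion(make_client_data("https://login.example-secure.com", challenge),
                                    good_auth, challenge),
        "replay": verify_assertion(make_client_data(EXPECTED_ORIGIN, challenge), good_auth, os.urandom(32)),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:8s} {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

Running it prints ACCEPT for the genuine assertion and REJECT for the relayed and replayed ones. In practice the browser already refuses to create an assertion when the requesting origin does not match the RP ID, so the server-side origin check is defence in depth that the WebAuthn specification nonetheless requires of relying parties; an OTP or push approval carries no equivalent binding, which is why those passwordless forms remain phishable.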

2. Do Firewalls Serve Any Purpose for Zero Trust?

The answer is nuanced. Traditional perimeter firewalls enforce policy only at the network edge; once a threat is inside, they offer no control over lateral movement, which is precisely the gap zero trust is meant to close. On their own, then, they can’t help organizations uphold zero trust.

But the same doesn’t apply to next-generation firewalls (NGFWs). These can complement zero trust by functioning as segmentation gateways: multifaceted tools that combine network access control, micro-segmentation, web application firewall functionality and other capabilities to enforce zero-trust policy. Segmentation gateways sit at the center of the network rather than at the perimeter, between segments, so traffic between workloads crosses a policy enforcement point. That position gives infosec teams visibility into data access that they can use to spot a potential attack before it grows into a security incident.

3. Can Cyber Ranges Help Organizations?

Demand for cyber ranges increased after organizations shifted to remote and hybrid work in 2020 and following high-profile attacks such as the Colonial Pipeline ransomware incident of 2021. Keep in mind, though, that not every organization needs a cyber range on a long-term basis; some simply can’t justify the cost of building and maintaining one.

That said, cyber ranges do carry benefits. They give security teams a way to improve coordination and build experience: infosec personnel can immerse themselves in realistic attack scenarios and rehearse what a live response would entail. Cyber ranges also help organizations meet the training and exercise expectations set out in frameworks and mandates from the National Institute of Standards and Technology (NIST) and other bodies.

Organizations just need to remember that not every cyber range is created equal. They need to figure out which type of cyber range fits their security needs, and from there build and maintain a solution that works for them.

4. Is a Traditional Career Path Required for Security Pros?

Not even a little bit. Infosec personnel come from all types of backgrounds, including online poker, military service and music degrees. These experiences inform security professionals’ work and give the community fresh perspectives with which to protect organizations’ systems and data. In other words, anyone can forge a career in cybersecurity.

5. What Can Developers Do to Ensure Their Organization’s Security?

There’s a lack of cohesion around who’s responsible for security. Many security professionals don’t trust the ability of developers to write secure code, for instance. Meanwhile, developers don’t feel they have the proper guidance to uphold security for their employers.

These viewpoints underscore a lack of clarity around digital defense in the workplace. In a recent GitLab survey, for instance, about a third of security personnel said they themselves were responsible for security, nearly three in 10 said everyone in the organization was equally responsible, and 21% said the onus was on developers specifically.

Clearly, something needs to be done. Most developers release software and apps more quickly today than they did just a few years ago, so security has to keep pace with delivery. That highlights the opportunity for developers to play a direct role in their organization’s security.

The key is for security experts and developers to work together as partners in achieving secure code. One way to do that is for security teams to expose the services they provide (code scanning, for example) through a seamless API consumption-based model, so that developers can blend security naturally into the software development life cycle rather than bolt it on afterwards.

Additionally, organizations should make sure they provide security awareness training to their developers. Developers won’t be able to function as full partners in DevSecOps unless they understand the security risks confronting them. With that in mind, organizations need to approach DevSecOps as an opportunity to foster a collaborative and inclusive security culture.

Cybersecurity Is Always Changing

The questions discussed above might not be open or debatable several years from now, but they give organizations something to consider in the meantime. Fortunately, the security industry is a community, and we’ll continue to explore these issues together going forward.
